Postfix Small/Home Office Hints and Tips


Overview

This document combines hints and tips for "small office/home office" applications into one document so that they are easier to find. The text describes the mail sending side only. If your machine does not receive mail directly (i.e. it does not have its own Internet domain name and its own fixed IP address), then you will need a solution such as "fetchmail", which is outside the scope of the Postfix documentation.

See the SASL_README and STANDARD_CONFIGURATION_README documents for further information on these topics.

Postfix on a stand-alone Internet host

Postfix should work out of the box without change on a stand-alone machine that has direct Internet access. At least, that is how Postfix installs when you download the Postfix source code via https://www.postfix.org/.

You can use the command "postconf -n" to find out what settings are overruled by your main.cf. Besides a few pathname settings, few parameters should be set on a stand-alone box, beyond what is covered in the BASIC_CONFIGURATION_README document:

/etc/postfix/main.cf:
    # Optional: send mail as user@domainname instead of user@hostname.
    #myorigin = $mydomain

    # Optional: specify NAT/proxy external address.
    #proxy_interfaces = 1.2.3.4

    # Alternative 1: don't relay mail from other hosts.
    mynetworks_style = host
    relay_domains =

    # Alternative 2: relay mail from local clients only.
    # mynetworks = 192.168.1.0/28
    # relay_domains =

See also the section "Postfix on hosts without a real Internet hostname" if this is applicable to your configuration.

Postfix on hosts without a real Internet hostname

This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names.

Note: the following information is Postfix version dependent. To find out what Postfix version you have, execute the command "postconf mail_version".

Solution 1: Postfix version 2.2 and later

Postfix 2.2 uses the generic(5) address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine.

The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.

/etc/postfix/main.cf:
    smtp_generic_maps = hash:/etc/postfix/generic

/etc/postfix/generic:
    his@localdomain.local             hisaccount@hisisp.example
    her@localdomain.local             heraccount@herisp.example
    @localdomain.local                hisaccount+local@hisisp.example

When mail is sent to a remote host via SMTP:

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/generic" whenever you change the generic table.

Solution 2: Postfix version 2.1 and earlier

The solution with older Postfix systems is to use valid Internet addresses where possible, and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can send mail to the Internet and to local fantasy addresses, including mail to local fantasy addresses that don't have a valid Internet address of their own.

The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.

/etc/postfix/main.cf:
    myhostname = hostname.localdomain
    mydomain = localdomain

    canonical_maps = hash:/etc/postfix/canonical

    virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/canonical:
    your-login-name    your-account@your-isp.com

/etc/postfix/virtual:
    your-account@your-isp.com       your-login-name

Translation:

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/canonical" whenever you change the canonical table.

Execute the command "postmap /etc/postfix/virtual" whenever you change the virtual table.

Enabling SASL authentication in the Postfix SMTP/LMTP client

This section shows a typical scenario where the Postfix SMTP client sends all messages via a mail gateway server that requires SASL authentication.

Trouble solving tips:

To make the example more readable we introduce it in two parts. The first part takes care of the basic configuration, while the second part sets up the username/password information.

/etc/postfix/main.cf:
    smtp_sasl_auth_enable = yes
    smtp_tls_security_level = encrypt
    smtp_sasl_tls_security_options = noanonymous
    relayhost = [mail.isp.example]
    # Alternative form:
    # relayhost = [mail.isp.example]:submission
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

/etc/postfix/sasl_passwd:
    # destination                   credentials
    [mail.isp.example]              username:password
    # Alternative form:
    # [mail.isp.example]:submission username:password

Important

Keep the SASL client password file in /etc/postfix, and make the file read+write only for root to protect the username/password combinations against other users. The Postfix SMTP client will still be able to read the SASL client passwords. It opens the file as user root before it drops privileges, and before entering an optional chroot jail.
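
One way to check the permissions described above, as an added example that is not part of the Postfix documentation. The function name check_sasl_map and the temporary sample file are constructed for illustration; the check assumes a hash: table, so the file that postmap builds next to the source (sasl_passwd.db) is audited as well.

```shell
#!/bin/sh
# Added example, not from the Postfix documentation.
# Assumes a hash: table, so postmap writes FILE.db next to FILE.
check_sasl_map() {   # check_sasl_map FILE [OWNER_UID]; OWNER_UID defaults to 0 (root)
    src=$1 want_uid=${2:-0} rc=0
    for f in "$src" "$src.db"; do
        if [ ! -e "$f" ]; then
            # A missing .db only means postmap has not been run yet.
            if [ "$f" = "$src" ]; then echo "MISSING  $f"; rc=1; fi
            continue
        fi
        # ls -ldn prints "mode links uid gid ..." with a numeric owner.
        read -r mode _links uid _rest <<EOF
$(ls -ldn "$f")
EOF
        case $mode in
            -???------*) ;;   # regular file without group/other permission bits
            *) echo "BAD MODE $f ($mode)"; rc=1 ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER    $f (uid $uid, expected $want_uid)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample file in a temporary directory; the real file is
# /etc/postfix/sasl_passwd and its owner is root (uid 0).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '[mail.isp.example] username:password\n' > "$demo/sasl_passwd"
chmod 644 "$demo/sasl_passwd"
check_sasl_map "$demo/sasl_passwd" "$(id -u)" || echo "=> tighten with chmod 600"
chmod 600 "$demo/sasl_passwd"
check_sasl_map "$demo/sasl_passwd" "$(id -u)" && echo "=> ok"
```

On a real system, run check_sasl_map /etc/postfix/sasl_passwd as root after each "postmap /etc/postfix/sasl_passwd".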

Configuring Sender-Dependent SASL authentication

Postfix supports different ISP accounts for different sender addresses (version 2.3 and later). This can be useful when one person uses the same machine for work and for personal use, or when people with different ISP accounts share the same Postfix server.

To make this possible, Postfix supports per-sender SASL passwords and per-sender relay hosts. In the example below, the Postfix SMTP client will search the SASL password file by sender address before it searches that same file by destination. Likewise, the Postfix trivial-rewrite(8) daemon will search the per-sender relayhost file, and use the default relayhost setting only as a final resort.

/etc/postfix/main.cf:
    smtp_sender_dependent_authentication = yes
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    relayhost = [mail.isp.example]
    # Alternative form:
    # relayhost = [mail.isp.example]:submission

/etc/postfix/sasl_passwd:
    # Per-sender authentication; see also /etc/postfix/sender_relay.
    user1@example.com               username1:password1
    user2@example.net               username2:password2
    # Login information for the default relayhost.
    [mail.isp.example]              username:password
    # Alternative form:
    # [mail.isp.example]:submission username:password

/etc/postfix/sender_relay:
    # Per-sender provider; see also /etc/postfix/sasl_passwd.
    user1@example.com               [mail.example.com]:submission
    user2@example.net               [mail.example.net]
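
The lookup order described in this section, modelled as an added example (not Postfix code) over constructed copies of the sample tables above. The function names are hypothetical, only exact full-address keys are modelled, and user3@example.org is a constructed entry that has a per-sender relay but no credentials under either key.

```shell
#!/bin/sh
# Added example, not Postfix code: models the lookup order described above.
# Only exact keys are modelled, as in the sample tables.
lookup() {           # lookup KEY FILE: print the value of the first exact key match
    awk -v k="$1" '$1 == k { print $2; found = 1; exit }
                   END { exit !found }' "$2"
}

resolve_sender() {   # resolve_sender SENDER DEFAULT_RELAY PASSWD_FILE RELAY_FILE
    # Per-sender relay host first, default relayhost as the final resort.
    relay=$(lookup "$1" "$4") || relay=$2
    # Credentials: by sender address first, then by destination (the relay).
    if lookup "$1" "$3" >/dev/null; then how=sender
    elif lookup "$relay" "$3" >/dev/null; then how=destination
    else how=NONE    # neither key present in the password file
    fi
    printf '%s %s\n' "$relay" "$how"   # never prints the secret itself
}

# Constructed copies of the sample tables; user3 is a deliberate gap.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/sasl_passwd" <<'EOF'
user1@example.com               username1:password1
user2@example.net               username2:password2
[mail.isp.example]              username:password
EOF
cat > "$demo/sender_relay" <<'EOF'
user1@example.com               [mail.example.com]:submission
user2@example.net               [mail.example.net]
user3@example.org               [mail.example.org]
EOF

for s in user1@example.com user2@example.net user3@example.org other@example.org; do
    printf '%-20s ' "$s"
    resolve_sender "$s" '[mail.isp.example]' "$demo/sasl_passwd" "$demo/sender_relay"
done
```

A NONE result marks a sender whose relay host is configured without a matching entry in sasl_passwd.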